Differential Privacy (DP) has become the gold standard for protecting individual privacy in data analytics, and the shuffle-DP model has attracted significant attention from both academia and industry due to its favorable balance between privacy and utility. However, existing shuffle-DP protocols rely on a strong assumption: all users behave honestly. In real-world scenarios, adversarial users can exploit this vulnerability through poisoning attacks, compromising both privacy guarantees and the utility of analytical results. While defending against poisoning attacks in the shuffle-DP model has recently gained interest, existing solutions are limited to frequency estimation tasks. To address this issue, we propose the first general defense framework for all union-preserving queries, capable of transforming any shuffle-DP protocol into a version resilient to poisoning attacks. Beyond robust defense against poisoning attacks, our framework achieves high utility of analytical results. Compared to the original shuffle-DP protocol, it retains asymptotically equivalent error in attack-free settings and incurs only a polylogarithmic increase in error when a constant number of attackers are present. We demonstrate the generality of our framework on several common queries, including summation, frequency estimation, and range counting. Experimental results confirm that our approach effectively defends against poisoning attacks while maintaining strong utility and communication efficiency.